Talos Vulnerability Report

TALOS-2016-0246

Invincea Dell Protected Workspace Protection Bypass

June 30, 2017

CVE Number

CVE-2016-8732

Summary

Multiple security flaws exist in InvProtectDrv.sys, which is part of Invincea Dell Protected Workspace 5.1.1-22303. Weak access restrictions on the driver communication channel, combined with additional insufficient checks, allow any application to turn off some of the protection mechanisms provided by the Invincea product.

Tested Versions

Invincea Dell Protected Workspace build 5.1.1-22303

Product URLs

CVSSv3 Score

7.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

This vulnerability is present in the InvProtectDrv.sys driver, which is part of the Invincea Dell Protected Workspace. This product provides sandbox functionality for Windows environments. Due to weak permissions on the driver communication channel and ineffective additional checks, any malicious application can communicate with the driver and turn off some of the security functionality provided by this product.

Let's investigate these flaws. The InvProtectDrv.sys driver creates a communication port via FltCreateCommunicationPort with a weak security descriptor that allows any user to open the port (rather than the default descriptor built by FltBuildDefaultSecurityDescriptor, which grants access only to SYSTEM and the Administrators group).
The vulnerable code looks as follows:

The number of applications that can connect to this port is limited to one, but because that connection is held by an unprotected user-mode application, a malicious application can kill the InvProtectAgent.exe process and connect to the port in its place.
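As an added illustration (not part of the Talos report or of the Invincea product), the following PowerShell snippet checks from a standard-user session whether the agent holding the port connection can be terminated. It requests only PROCESS_TERMINATE on InvProtectAgent.exe and closes the handle without using it; if the open succeeds, that user could kill the agent and take its place on the port. The process name comes from the report; the helper class name ProcAccessProbe is an assumption of this example, not an Invincea API.

```powershell
# Added example: probe whether the current (ideally unprivileged) user could
# terminate the user-mode agent that holds the single port connection.
# Opens the process with PROCESS_TERMINATE only; TerminateProcess is never called.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ProcAccessProbe {   // helper name is an assumption, not a product API
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@

$PROCESS_TERMINATE   = 0x0001   # the only right TerminateProcess needs
$ERROR_ACCESS_DENIED = 5

$agents = Get-Process -Name InvProtectAgent -ErrorAction SilentlyContinue
if (-not $agents) {
    Write-Output "InvProtectAgent.exe is not running; nothing to probe."
}

foreach ($p in $agents) {
    $h = [ProcAccessProbe]::OpenProcess($PROCESS_TERMINATE, $false, $p.Id)
    if ($h -ne [IntPtr]::Zero) {
        # A terminate handle was granted: this user can kill the agent and then
        # connect to the now-free filter communication port.
        Write-Output ("PID {0}: PROCESS_TERMINATE granted to {1}\{2}; agent is killable, port can be hijacked" -f $p.Id, $env:USERDOMAIN, $env:USERNAME)
        [void][ProcAccessProbe]::CloseHandle($h)
    } else {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($err -eq $ERROR_ACCESS_DENIED) {
            Write-Output ("PID {0}: access denied; the agent is protected from this user" -f $p.Id)
        } else {
            Write-Output ("PID {0}: OpenProcess failed with Win32 error {1}" -f $p.Id, $err)
        }
    }
}
```

Run this from a non-elevated session of a standard user; an administrator is granted PROCESS_TERMINATE on almost any process, so an elevated run proves nothing about the exposure described above.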

The routine responsible for handling messages sent to the driver is MessageNotifyCallback. One of the functions of this communication channel is to apply a new policy to the sandbox.

As we can see, before the new policy is applied, the location of the application that sent it is checked. A handful of absolute application paths are defined, and only applications started from these paths satisfy this constraint.
Let's take a look at the checkApplicationLocation function:

Because the standard installation directory of the executables listed in this array is C:\Program Files\Invincea\Enterprise, an unprivileged user cannot place a malicious executable in that location. The check, however, trusts only the image path of the calling process, not the code running inside it: to bypass it, an attacker can apply the RunPE technique (process hollowing) to one of the executables listed in the allowedApps array, starting the legitimate binary suspended and replacing its in-memory image with attacker code, so that the executable path check is satisfied.
After bypassing this check, the attacker needs to provide a properly formatted buffer to trigger specific actions. Examining the process reveals that the inputBuffer contains a new policy with the following structure: